[LØST] Virus e.l tatt over admin-rettigheter og fjernet bla control panel

glimpze · 15. september 2008

Hei!

I sommer da jeg skulle laste ned patch til et spill fikk jeg virus. I alle fall sa norton 2006 klart i fra om at noe var galt med en gang jeg åpnet filen som da skulle vært patchen.

Jeg hadde da både avg og norton 2006 innstalert og aldri hatt problemer med virus før. Det dette gjorde var å ta over admin-rettighetene på maskinen. Bla forsvant control panel fra start menyen og prøvde/prøver jeg å gå inn på control panel eller f.eks klokka nede i høyre hjørnet får jeg bare "the operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator". Viruset gjorde også slik at avg sluttet å virke og norton plutselig manglet mange filer for å fungere skikkelig. Det går heller ikke an å legge inn avg, da det ikke får registrert seg i registeret.

Har likevel prøvd å legge inn nytt avg og norton på nytt, uten at de klarer å scanne registeret og/eller fjerne alle virusene. Eset NOD32 fant 180 threats bare på 25GB windows partisjonen og klarte å fjerne alle utenom ett. Likevel fungerer ingenting. Norton popper hele tiden opp og sier at infostealer.gamepass og trojan vundu og trojan horse kødder til maskinen min. I firefox popper det hele tiden opp nye vindu med iq-tester og reklame.

Problemet er bare at jeg ikke vil formatere, da jeg har flere terra med viktige programmer og spill. Selv om windows partisjonen bare er på 25gb vil jeg nødig legge inn og ordne til alt på nytt av spill og progs.

Kan noen hjelpe meg? Har noen opplevd å bli degradert i systemet på sin egen pc og/eller at control panel er borte fra start-meny? Er det noen virusprogrammer e.l. jeg bør/kan kjøre som kanskje vil ta knekken på driten på dataen min?

På forhånd takk!

Endret 23. september 2008 av glimpze

Stifi · 15. september 2008

Ta en hijackthis test.

https://www.diskusjon.no/index.php?showtopic=575063

http://www.hijackthis.de/

Endret 15. september 2008 av Stifi

norbat · 16. september 2008

Evt. følge veiledningen. Loggene det spørres etter poster du her i din egen tråd.

glimpze · 21. september 2008

Har nå fulgt veiledningen din norbat og etter scanningene finnes control panel atter en gang i start-menyen og jeg har admin rettigheter som å stille klokka igjen :-)

Her kommer loggene, håper på hjelp til å analysere dem:

MBAM:

Klikk for å se/fjerne innholdet nedenfor

<Malwarebytes' Anti-Malware 1.28

Database versjon: 1188

Windows 5.1.2600 Service Pack 2

22.09.2008 00:13:32

mbam-log-2008-09-22 (00-13-32).txt

Skanntype: Rask Skann

Objekter skannet: 42381

Tid tilbakelagt: 3 minute(s), 55 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 20

Registerverdier infisert: 5

Registerfiler infisert: 3

Mapper infisert: 7

Filer infisert: 80

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e89e6ed3-fe6a-4f2e-a822-2f5d70d42506} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{e89e6ed3-fe6a-4f2e-a822-2f5d70d42506} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\Interface\{a3b4ff8a-d3e7-4692-a9b6-971f62802310} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{2b7763c3-642b-4934-902c-72a63a95127a} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ultra soft (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cj.cjmgr (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\MyGlobalSearch (Adware.BookedSpace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm5b086e79 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registerfiler infisert:

HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Downloader) -> Data: j:\windows\system32\winupdate.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Downloader) -> Data: system32\winupdate.exe -> Quarantined and deleted successfully.

Mapper infisert:

J:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

J:\Program Files\MyGlobalSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.

J:\Program Files\MyGlobalSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.

J:\Program Files\MyGlobalSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

J:\Documents and Settings\Administrator\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.

J:\Program Files\IE Extensions (Trojan.BHO) -> Quarantined and deleted successfully.

J:\Program Files\cjb (Trojan.Agent) -> Quarantined and deleted successfully.

Filer infisert:

J:\WINDOWS\system32\dffsnfij.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\jifnsffd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\ilereynx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\xnyereli.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\incorqgd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\dgqrocni.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\othaugvy.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\ubaitveh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\hevtiabu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\uhntbhhj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\jhhbtnhu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\xtdgswma.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\amwsgdtx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

J:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5ULUJ6X\silent.dll[2].bak (Trojan.BHO.H) -> Delete on reboot.

J:\Program Files\IE Extensions\cj.v5.dll (Trojan.BHO) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\ghxbhcon.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\kdvpjkvr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\mlqottko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\qfypvjde.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\vqrsnvsw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\bkpkltjj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\dngnvsoo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\dqustmfa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\llyruwbi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\tgeyxswv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\jledpqwf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\jtpbtrnw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\micvwh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\lgedwvje.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\lpsvotkj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\ijopuqna.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\hcklckym.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\Program Files\MyGlobalSearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.

J:\Documents and Settings\Administrator\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

J:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

J:\Program Files\xloader30029.exe (Trojan.Agent) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

J:\Program Files\tmp12130671.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp161875.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp162453.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp162468.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp166390.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp167234.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp170671.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp181859.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp183328.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp183343.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp1988609.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp1988625.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20542093.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20555828.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20561531.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20565250.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20565500.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20576312.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20576531.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20580812.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20580875.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20581343.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20583406.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20584500.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20596218.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20597093.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20597296.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20597890.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20601968.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20613734.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20614875.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp20617625.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp6695015.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\Program Files\tmp6739921.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

J:\WINDOWS\inf\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully.

J:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.

J:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\BM5b086e79.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\BM5b086e79.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

J:\Program Files\ucleaner_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

J:\WINDOWS\system32\oqtss.ini (Malware.Trace) -> Quarantined and deleted successfully.>

Combofix:

Klikk for å se/fjerne innholdet nedenfor

<ComboFix 08-09-20.05 - Administrator 2008-09-22 0:24:24.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1613 [GMT 2:00]

Running from: J:\Documents and Settings\Administrator\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

J:\WINDOWS\system32\adaxscou.ini

J:\WINDOWS\system32\bgecrxur.ini

J:\WINDOWS\system32\dfohhrhg.ini

J:\WINDOWS\system32\drivers\mfwljkqo.dat

J:\WINDOWS\system32\jfnswyyj.ini

J:\WINDOWS\system32\kbbxwecy.ini

J:\WINDOWS\system32\kkvjgnsr.ini

J:\WINDOWS\system32\puicukgi.ini

J:\WINDOWS\system32\raqhriqr.ini

J:\WINDOWS\system32\tmrnbuie.ini

U:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_INXBVJFA

-------\Service_inxbvjfa

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))

.

2008-09-22 00:35 . 2008-09-22 00:35 <DIR> d-------- J:\WINDOWS\LastGood

2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Program Files\Malwarebytes' Anti-Malware

2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-09-21 23:45 . 2008-09-10 00:04 38,528 --a------ J:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-21 23:45 . 2008-09-10 00:03 17,200 --a------ J:\WINDOWS\system32\drivers\mbam.sys

2008-09-15 00:46 . 2008-09-15 00:46 345 --ahs---- J:\WINDOWS\system32\jjjlm.ini2

2008-09-15 00:22 . 2008-09-15 00:22 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\ESET

2008-09-14 11:46 . 2008-09-15 00:39 3,594 ---hs---- J:\WINDOWS\system32\ugllnrob.ini

2008-09-13 11:25 . 2008-09-13 11:25 5,120 --a------ J:\WINDOWS\system32\drivers\wxmaycbn.dat

2008-09-13 06:34 . 2008-09-14 11:45 3,174 ---hs---- J:\WINDOWS\system32\cbnqwbap.ini

2008-09-13 05:21 . 2008-09-13 06:31 2,874 ---hs---- J:\WINDOWS\system32\rfvahswv.ini

2008-09-09 21:08 . 2008-09-11 20:18 2,274 ---hs---- J:\WINDOWS\system32\sgdtkdsi.ini

2008-09-06 20:56 . 2008-09-09 21:05 1,914 ---hs---- J:\WINDOWS\system32\oxjmxidm.ini

2008-09-06 20:40 . 2008-09-06 20:53 1,734 ---hs---- J:\WINDOWS\system32\ssndrmeg.ini

2008-09-06 17:48 . 2008-09-06 17:55 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\TrackMania

2008-09-03 21:16 . 2008-09-04 01:20 594 ---hs---- J:\WINDOWS\system32\ogujxwgb.ini

2008-08-29 01:24 . 2008-08-29 01:24 54,156 --ah----- J:\WINDOWS\QTFont.qfn

2008-08-29 01:24 . 2008-08-29 01:24 1,409 --a------ J:\WINDOWS\QTFont.for

2008-08-28 00:19 . 2008-08-29 02:15 894 ---hs---- J:\WINDOWS\system32\sdvbortn.ini

2008-08-27 22:03 . 2008-08-28 00:16 414 ---hs---- J:\WINDOWS\system32\syrpagqc.ini

2008-08-26 20:36 . 2008-08-27 22:01 2,094 ---hs---- J:\WINDOWS\system32\pcrmwchh.ini

2008-08-26 01:17 . 2008-08-26 20:36 1,614 ---hs---- J:\WINDOWS\system32\blhsqygd.ini

2008-08-25 21:55 . 2008-08-26 01:16 1,314 ---hs---- J:\WINDOWS\system32\hlpossno.ini

2008-08-24 21:31 . 2008-08-25 21:47 1,134 ---hs---- J:\WINDOWS\system32\tveysnxi.ini

2008-08-24 17:15 . 2008-08-24 21:28 534 ---hs---- J:\WINDOWS\system32\uwnjrntw.ini

2008-08-23 17:17 . 2008-08-24 16:42 354 ---hs---- J:\WINDOWS\system32\otmpimul.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-21 21:44 --------- d-----w J:\Program Files\CCleaner

2008-09-15 22:33 --------- d-----w J:\Documents and Settings\All Users\Application Data\avg7

2008-09-15 07:42 --------- d-----w J:\Program Files\DAEMON Tools

2008-09-15 06:00 --------- d-----w J:\Documents and Settings\LocalService\Application Data\AVG7

2008-09-14 22:21 --------- d-----w J:\Program Files\audiograbber

2008-09-06 15:41 --------- d-----w J:\Program Files\mIRC

2008-09-03 22:36 --------- d-----w J:\Program Files\Winamp

2008-08-29 00:12 --------- d-----w J:\Program Files\DC++

2008-08-28 17:34 --------- d-----w J:\Documents and Settings\Administrator\Application Data\AVG7

2008-08-27 23:12 --------- d-----w J:\Documents and Settings\Administrator\Application Data\uTorrent

2008-08-04 13:46 --------- d-----w J:\Program Files\Mozilla Thunderbird

2008-02-25 08:10 318 --sha-w J:\WINDOWS\system32\kjllm.ini2

2008-02-25 12:21 700 --sha-w J:\WINDOWS\system32\oqtss.ini2

2008-03-17 18:15 83,349 --sha-w J:\WINDOWS\system32\orutv.ini2

.

------- Sigcheck -------

2004-08-03 21:56 14336 8f078ae4ed187aaabc0a305146de6716 J:\WINDOWS\system32\svchost.exe

2005-10-13 18:06 577024 1800f293bccc8ede8a70e12b88d80036 J:\WINDOWS\$NtUninstallKB925902$\user32.dll

2007-03-08 17:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b J:\WINDOWS\system32\user32.dll

2007-03-08 17:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b J:\WINDOWS\system32\dllcache\user32.dll

2004-08-03 21:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 J:\WINDOWS\system32\ws2_32.dll

2005-10-14 13:47 360448 b51b0046d15982530af09f3d01ff48ab J:\WINDOWS\$NtUninstallKB913446$\tcpip.sys

2006-01-13 19:07 360448 5562cc0a47b2aef06d3417b733f3c195 J:\WINDOWS\$NtUninstallKB917953$\tcpip.sys

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 J:\WINDOWS\$NtUninstallKB941644$\tcpip.sys

2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 J:\WINDOWS\system32\dllcache\tcpip.sys

2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 J:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 21:56 502272 01c3346c241652f43aed8e2149881bfe J:\WINDOWS\system32\winlogon.exe

2004-08-03 20:14 182912 558635d3af1c7546d26067d5d9b6959e J:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 20:00 29056 4448006b6bc60e6c027932cfc38d6855 J:\WINDOWS\system32\drivers\ip6fw.sys

2005-11-28 13:10 2015744 48472d224e1703882b4de0e28e205e9b J:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe

2006-12-19 18:12 2017280 fa64f313f5237c53a909906113acae7d J:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe

2007-02-28 11:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba J:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe

2007-02-28 11:15 2017280 2dfb215e291e3d9b1cf9a6739b3bf16c J:\WINDOWS\system32\ntkrnlpa.exe

2007-02-28 11:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba J:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-10-14 14:49 2136064 25c36dbc46e8eff2a811769a60715ac5 J:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe

2006-12-19 18:49 2137600 57b9d140e1eb8b0ea06df927b63b0eee J:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe

2007-02-28 11:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 J:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

2007-02-28 11:53 2137600 e6679c3023b17d8b78946bc5df53fa20 J:\WINDOWS\system32\ntoskrnl.exe

2007-02-28 11:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 J:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 13:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 J:\WINDOWS\explorer.exe

2005-10-15 05:37 1032192 45757077a47c68a603a79b03a1a836ab J:\WINDOWS\$NtUninstallKB938828$\explorer.exe

2007-06-13 13:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 J:\WINDOWS\system32\dllcache\explorer.exe

2004-08-03 21:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 J:\WINDOWS\system32\services.exe

2004-08-03 21:56 13312 84885f9b82f4d55c6146ebf6065d75d2 J:\WINDOWS\system32\lsass.exe

2004-08-03 21:56 15360 24232996a38c0b0cf151c2140ae29fc8 J:\WINDOWS\system32\ctfmon.exe

2005-10-13 18:06 57856 ad3d9d191aea7b5445fe1d82ffbb4788 J:\WINDOWS\system32\spoolsv.exe

2004-08-03 21:56 24576 39b1ffb03c2296323832acbae50d2aff J:\WINDOWS\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="J:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]

"TaskSwitchXP"="J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="J:\WINDOWS\system32\NvCpl.dll" [2005-10-10 7286784]

"NvMediaCenter"="J:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 86016]

"WinampAgent"="J:\Program Files\Winamp\winampa.exe" [2005-12-09 35328]

"snpstd"="J:\WINDOWS\vsnpstd.exe" [2003-12-31 40960]

"RemoteControl"="J:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"ccApp"="J:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]

"NeroFilterCheck"="J:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]

"PinnacleDriverCheck"="J:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 406016]

"KillCopy"="J:\Program Files\KillSoft\KillCopy\kcresume.exe" [2006-08-07 295424]

"QuickTime Task"="J:\Program Files\QuickTime\qttask.exe" [2006-10-17 98304]

"DAEMON Tools"="J:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]

"NVIDIA nTune"="J:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2006-10-31 81920]

"amd_dc_opt"="J:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]

"Symantec PIF AlertEng"="J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 J:\WINDOWS\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2005-10-10 J:\WINDOWS\system32\nwiz.exe]

"Resume copy"="copyfstq.exe" [2002-03-24 J:\WINDOWS\COPYFSTQ.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="J:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 15360]

"TaskSwitchXP"="J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"nlhr"="J:\WINDOWS\System32\AdvPack.Dll" [2007-08-13 123904]

"tscuninstall"="J:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 44544]

J:\Documents and Settings\Administrator\Start Menu\Programs\Startup\

Adobe Gamma.lnk - J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

PowerReg Scheduler V3.exe [2006-07-21 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoInstrumentation"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoInstrumentation"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=tqoghn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.DIV3"= J:\PROGRA~1\K-LITE~1\codecs\DivXc32.dll

"VIDC.DIV4"= J:\PROGRA~1\K-LITE~1\codecs\DivXc32f.dll

"VIDC.3iv2"= J:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL

"VIDC.HFYU"= J:\PROGRA~1\K-LITE~1\codecs\huffyuv.dll

"vidc.i263"= i263_32.drv

"VIDC.VP70"= J:\PROGRA~1\K-LITE~1\codecs\vp7vfw.dll

"VIDC.VP31"= J:\PROGRA~1\K-LITE~1\codecs\vp31vfw.dll

"VIDC.MP43"= J:\PROGRA~1\K-LITE~1\codecs\Mpg4c32.dll

"VIDC.FFDS"= J:\PROGRA~1\K-LITE~1\ffdshow\ff_vfw.dll

"msacm.ac3acm"= J:\PROGRA~1\K-LITE~1\codecs\ac3acm.acm

"msacm.lameacm"= J:\PROGRA~1\K-LITE~1\codecs\lameACM.acm

"msacm.l3fhg"= J:\PROGRA~1\K-LITE~1\codecs\l3codecp.acm

"msacm.divxa32"= J:\PROGRA~1\K-LITE~1\codecs\divxa32.acm

"msacm.imc"= imc32.acm

"VIDC.MJPG"= Pvmjpg30.dll

"VIDC.PIM1"= pclepim1.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"K:\\Spill\\Battlefield 2\\BF2.exe"=

"J:\\Program Files\\BitComet\\BitComet.exe"=

"J:\\Program Files\\LimeWire\\LimeWire.exe"=

"J:\\Program Files\\Valve\\hl.exe"=

"K:\\Spill\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe"=

"J:\\Program Files\\mIRC\\mirc.exe"=

"J:\\Program Files\\DC++\\DCPlusPlus.exe"=

"J:\\Program Files\\Azureus\\Azureus.exe"=

"K:\\Spill\\Steam\\SteamApps\\[email protected]\\half-life 2 deathmatch\\hl2.exe"=

"K:\\Spill\\Steam\\SteamApps\\[email protected]\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"=

"K:\\Spill\\Steam\\SteamApps\\[email protected]\\counter-strike source\\hl2.exe"=

"K:\\Spill\\Steam\\SteamApps\\[email protected]\\half-life\\hl.exe"=

"K:\\Spill\\Need For Speed Most Wanted\\speed.exe"=

"C:\\Innstallere\\aoe2 on 85.19.151.132\\age2_x1.exe"=

"\\\\prestjord\\aoe2 on 85.19.151.132\\age2_x1.exe"=

"J:\\WINDOWS\\system32\\dplaysvr.exe"=

"K:\\Spill\\Call Of Duty 2\\CoD2MP_s.exe"=

"J:\\WINDOWS\\system32\\dpvsetup.exe"=

"K:\\Spill\\Steam\\SteamApps\\[email protected]\\team fortress classic\\hl.exe"=

"E:\\FRA 80 GB\\Spill\\-=Red Alert 2=-\\GAME.EXE"=

"J:\\Program Files\\FlashFXP\\flashfxp.exe"=

"C:\\Spill\\Quake 4\\Quake4.exe"=

"C:\\Spill\\TrackMania Nations ESWC\\TmNationsESWC.exe"=

"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=

"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=

"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=

"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

"J:\\WINDOWS\\system32\\dxdiag.exe"=

"J:\\WINDOWS\\system32\\dpnsvr.exe"=

"Q:\\Spill\\cs 1.6\\hl.exe"=

"Q:\\Spill\\Generals\\game.dat"=

"Q:\\Spill\\Generals Zero Hour\\game.dat"=

"K:\\Spill\\Age Of Empires 3\\age3.exe"=

"Q:\\Spill\\Colin McRae 04\\cmr4.exe"=

"C:0\\Spill\\The Lord Of The Rings - The Battle For Middle Earth 2\\game.dat"=

"C:4\\Spill\\MotoGP2\\motogp2.exe"=

"C:\\Spill\\cs 1.6\\hl.exe"=

"C:0\\Spill\\Act Of War\\ACTOFWAR.EXE"=

"C:0\\Spill\\The First Decade\\Command & Conquer Generals Zero Hour\\generals.exe"=

"J:\\Program Files\\uTorrent\\utorrent.exe"=

"C:0\\Spill\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=

"C:0\\Spill\\Worms Forts Under Siege\\WF.exe"=

"E:\\FRA 80 GB\\Spill\\Unreal Tournament\\System\\UnrealTournament.exe"=

"J:\\Program Files\\WebEye\\WebEye.exe"=

"C:0\\Spill\\Worms 2\\frontend.exe"=

"C:0\\Spill\\Worms_2\\worms2.exe"=

"\\\\paul\\Upload\\worms2.exe"=

"K:\\Spill\\Steam\\SteamApps\\[email protected]\\garrysmod\\hl2.exe"=

"J:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"C:0\\Spill\\Outrun 2006 - Coast To Coast\\OR2006C2C.EXE"=

"J:\\Program Files\\Skype\\Phone\\Skype.exe"=

"J:\\Program Files\\Hamachi\\hamachi.exe"=

"J:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"J:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:7\\Spill\\Company Of Heroes - Opposing Force\\RelicCOH.exe"=

"C:7\\Spill\\ISO\\FlatOut2 på bernt\\FlatOut2.exe"=

"R:\\Spill\\C&C3 Tiberium Wars\\RetailExe\\1.0\\cnc3game.dat"=

"C:6\\Spill\\Company Of Heroes\\RelicCOH.exe"=

"C:6\\Spill\\FlatOut2\\FlatOut2.exe"=

"C:0\\Spill\\TmNationsForever\\TmForever.exe"=

"C:0\\Spill\\TmUnitedForever\\TmForever.exe"=

R0 Pnp680;SiI 680 ATA Controller;J:\WINDOWS\system32\DRIVERS\pnp680.sys [2002-03-15 37031]

R0 WDMCAPI;ISDN PCI CAPI;J:\WINDOWS\system32\DRIVERS\WDMCAPI.sys [2002-04-24 612669]

R2 UxTuneUp;TuneUp Design Expansion;J:\WINDOWS\System32\svchost.exe [2004-08-03 14336]

R3 WDMWANMP;NDIS WAN miniport;J:\WINDOWS\system32\DRIVERS\wdmwanmp.sys [2002-03-26 26067]

S1 SysTool;SysTool Overclocking Utility;J:\WINDOWS\system32\DRIVERS\SysTool.sys [2005-09-26 24064]

S3 RivaTunerEx;RivaTunerEx;L:\Program Filer\Riva Tuner\RivaTunerEx.sys [2004-10-04 2560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\autorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]

\Shell\AutoRun\command - P:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebe9a054-6b1d-11da-98d7-806d6172696f}]

\Shell\AutoRun\command - G:\POV.exe

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

BHO-{030240BC-71F3-47F4-9ABD-BC2F4AADE783} - (no file)

BHO-{040C4F7C-6248-4D45-A893-3AEF4DE3320b} - (no file)

BHO-{30240BC9-71F3-47F4-9ABD-BC2F4AADE783} - (no file)

BHO-{7e7b7e1f-cebb-4519-8d1a-8cb1173634f3} - (no file)

BHO-{A3A0458B-6004-457A-B913-ACC035F77547} - (no file)

BHO-{E89E6ED3-FE6A-4F2E-A822-2F5D70D42506} - J:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5ULUJ6X\silent.dll[2].bak

HKU-Default-Run-Free Download Manager - J:\Program Files\Free Download Manager\fdm.exe

.

------- File Associations -------

.

inffile=J:\WINDOWS\system32\NOTEPAD2.EXE %1

inifile=J:\WINDOWS\system32\NOTEPAD2.EXE %1

txtfile=J:\WINDOWS\system32\NOTEPAD2.EXE %1

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-22 00:35:27

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

J:\WINDOWS\LastGood

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\61883]

"ImagePath"="system32\DRIVERS\61883.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]

"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Adobe LM Service]

"ImagePath"="\"J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]

"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]

"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALCXWDM]

"ImagePath"="system32\drivers\ALCXWDM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]

"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]

"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdK8]

"ImagePath"="system32\DRIVERS\AmdK8.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdLLD]

"ImagePath"="system32\DRIVERS\AmdLLD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]

"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Arp1394]

"ImagePath"="system32\DRIVERS\arp1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASAPIW2K]

"ImagePath"="\??\J:\WINDOWS\system32\Drivers\asapiW2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]

"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]

"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]

"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]

"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]

"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]

"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Automatic LiveUpdate Scheduler]

"ImagePath"="\"J:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avc]

"ImagePath"="system32\DRIVERS\avc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]

"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]

"ServiceDll"="%systemroot%\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]

"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

"ImagePath"="\??\J:\ComboFix\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]

"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

"ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccSetMgr]

"ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]

"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]

"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]

"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]

"ImagePath"="J:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]

"ImagePath"="J:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]

"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]

"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]

"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]

"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]

"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]

"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]

"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]

"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]

"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]

"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]

"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]

"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eeCtrl]

"ImagePath"="\??\J:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ENTECH]

"ImagePath"="\??\J:\WINDOWS\system32\DRIVERS\ENTECH.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EraserUtilRebootDrv]

"ImagePath"="\??\J:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]

"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]

"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]

"ServiceDll"="J:\WINDOWS\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]

"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]

"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]

"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GMSIPCI]

"ImagePath"="\??\G:\INSTALL\GMSIPCI.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]

"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hamachi]

"ImagePath"="system32\DRIVERS\hamachi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]

"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]

"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]

"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]

"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]

"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]

"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]

"ImagePath"="\"J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]

"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]

"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]

"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]

"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]

"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]

"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]

"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]

"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]

"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]

"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]

"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]

"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]

"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]

"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LiveUpdate]

"ImagePath"="\"J:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LiveUpdate Notice Service]

"ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe\" /m \"J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]

"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarvinBus]

"ImagePath"="system32\DRIVERS\MarvinBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]

"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]

"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]

"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]

"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]

"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]

"ImagePath"="J:\WINDOWS\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDV]

"ImagePath"="system32\DRIVERS\msdv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]

"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]

"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]

"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]

"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]

"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]

"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]

"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\navapsvc]

"ImagePath"="J:\Program Files\Norton AntiVirus\navapsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG]

"ImagePath"="\??\J:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080921.003\NAVENG.Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15]

"ImagePath"="\??\J:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080921.003\NavEx15.Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]

"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]

"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]

"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]

"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]

"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]

"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]

"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIC1394]

"ImagePath"="system32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]

"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NPFMntor]

"ImagePath"="\"J:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSCService]

"ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]

"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nTuneService]

"ImagePath"="J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nv]

"ImagePath"="system32\DRIVERS\nv4_mini.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvatabus]

"ImagePath"="system32\DRIVERS\nvatabus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvcap]

"ImagePath"="system32\DRIVERS\nvcap.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVENETFD]

"ImagePath"="system32\DRIVERS\NVENETFD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvnetbus]

"ImagePath"="system32\DRIVERS\nvnetbus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVR0Dev]

"ImagePath"="\??\J:\WINDOWS\nvoclock.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVSvc]

"ImagePath"="%SystemRoot%\system32\nvsvc32.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVXBAR]

"ImagePath"="system32\DRIVERS\NVxbar.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]

"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]

"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohci1394]

"ImagePath"="system32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]

"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]

"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]

"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCLEPCI]

"ImagePath"="\??\J:\WINDOWS\system32\drivers\pclepci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]

"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pnp680]

"ImagePath"="system32\DRIVERS\pnp680.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]

"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Processor]

"ImagePath"="system32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\prodrv06]

"ImagePath"="\SystemRoot\System32\drivers\prodrv06.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\prohlp02]

"ImagePath"="System32\drivers\prohlp02.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\prosync1]

"ImagePath"="System32\drivers\prosync1.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]

"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]

"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]

"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]

"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]

"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]

"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]

"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]

"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]

"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]

"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]

"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]

"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]

"ImagePath"="J:\WINDOWS\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]

"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]

"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]

"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RivaTunerEx]

"ImagePath"="\??\L:\Program Filer\Riva Tuner\RivaTunerEx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]

"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]

"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]

"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="\??\J:\Program Files\Norton AntiVirus\SAVRT.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRTPEL]

"ImagePath"="\??\J:\Program Files\Norton AntiVirus\SAVRTPEL.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVScan]

"ImagePath"="\"J:\Program Files\Norton AntiVirus\SAVScan.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]

"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]

"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]

"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]

"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]

"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]

"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]

"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfdrv01]

"ImagePath"="System32\drivers\sfdrv01.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfhlp01]

"ImagePath"="System32\drivers\sfhlp01.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfhlp02]

"ImagePath"="System32\drivers\sfhlp02.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfsync04]

"ImagePath"="System32\drivers\sfsync04.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfvfs02]

"ImagePath"="System32\drivers\sfvfs02.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]

"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]

"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\snpstd]

"ImagePath"="system32\DRIVERS\snpstd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPBBCDrv]

"ImagePath"="\??\J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPBBCSvc]

"ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]

"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]

"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sptd]

"ImagePath"="System32\Drivers\sptd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sr]

"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]

"ServiceDll"="J:\WINDOWS\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]

"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]

"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]

"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]

"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]

"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]

"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]

"ImagePath"="J:\WINDOWS\system32\dllhost.exe /Processid:{43C1B264-055C-45A5-88BF-AF4D361BA3CF}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symantec Core LC]

"ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMDNS]

"ImagePath"="\SystemRoot\System32\Drivers\SYMDNS.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEvent]

"ImagePath"="\??\J:\WINDOWS\system32\Drivers\SYMEVENT.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMFW]

"ImagePath"="\SystemRoot\System32\Drivers\SYMFW.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDS]

"ImagePath"="\SystemRoot\System32\Drivers\SYMIDS.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDSCO]

"ImagePath"="\??\J:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20080221.002\symidsco.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symlcbrd]

"ImagePath"="\??\J:\WINDOWS\system32\drivers\symlcbrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMNDIS]

"ImagePath"="\SystemRoot\System32\Drivers\SYMNDIS.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMREDRV]

"ImagePath"="\SystemRoot\System32\Drivers\SYMREDRV.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]

"ImagePath"="\SystemRoot\System32\Drivers\SYMTDI.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]

"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]

"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysTool]

"ImagePath"="system32\DRIVERS\SysTool.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]

"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]

"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]

"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]

"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]

"ImagePath"="J:\WINDOWS\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]

"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UMWdf]

"ImagePath"="J:\WINDOWS\system32\wdfmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]

"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]

"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]

"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]

"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]

"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]

"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbohci]

"ImagePath"="system32\DRIVERS\usbohci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]

"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]

"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]

"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usnjsvc]

"ImagePath"="\"J:\Program Files\MSN Messenger\usnsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UxTuneUp]

"ServiceDll"="%SystemRoot%\System32\uxtuneup.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]

"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]

"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]

"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]

"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]

"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDMCAPI]

"ImagePath"="system32\DRIVERS\WDMCAPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDMWANMP]

"ImagePath"="system32\DRIVERS\wdmwanmp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]

"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]

"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]

"ServiceDll"="J:\WINDOWS\system32\mspmsnsv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]

"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]

"ImagePath"="J:\WINDOWS\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]

"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]

"ServiceDll"="J:\WINDOWS\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]

"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]

"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{328C3FD6-1DD5-42DC-8F82-B35B0A61A5BE}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{765599F0-9710-4F28-BBC3-8A262E5B608E}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{7684FE3B-C811-488D-BEE9-FA573F6414FB}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DB47941E-2520-466D-966E-599EE90F5D0E}]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: J:\WINDOWS\system32\lsass.exe

-> J:\Program Files\NetLimiter\nl_lsp.dll

-> J:\WINDOWS\system32\nl_msgc.dll

.

------------------------ Other Running Processes ------------------------

.

J:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE

J:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE

J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

J:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

J:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE

J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

J:\WINDOWS\system32\nvsvc32.exe

J:\WINDOWS\system32\rundll32.exe

J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

.

**************************************************************************

.

Completion time: 2008-09-22 1:19:06 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-21 23:19:03

Pre-Run: 158 339 072 bytes free

Post-Run: 12,075,008 bytes free

908 --- E O F --- 2008-03-24 13:33:01>

HiJack-this:

Klikk for å se/fjerne innholdet nedenfor

<Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:25:44, on 22.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

J:\WINDOWS\System32\smss.exe

J:\WINDOWS\system32\winlogon.exe

J:\WINDOWS\system32\services.exe

J:\WINDOWS\system32\lsass.exe

J:\WINDOWS\system32\svchost.exe

J:\WINDOWS\System32\svchost.exe

J:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

J:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

J:\WINDOWS\system32\spoolsv.exe

J:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

J:\Program Files\Norton AntiVirus\navapsvc.exe

J:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

J:\WINDOWS\system32\nvsvc32.exe

J:\WINDOWS\system32\svchost.exe

J:\WINDOWS\SOUNDMAN.EXE

J:\WINDOWS\system32\RUNDLL32.EXE

J:\Program Files\Winamp\winampa.exe

J:\WINDOWS\vsnpstd.exe

J:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

J:\Program Files\Common Files\Symantec Shared\ccApp.exe

J:\Program Files\QuickTime\qttask.exe

J:\Program Files\DAEMON Tools\daemon.exe

J:\WINDOWS\system32\ctfmon.exe

J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

J:\WINDOWS\explorer.exe

J:\WINDOWS\system32\notepad.exe

J:\Program Files\Mozilla Firefox\firefox.exe

J:\Documents and Settings\Administrator\Desktop\Testttt\testttt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - J:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - J:\PROGRA~1\FlashFXP\IEFlash.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - J:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE J:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

O4 - HKLM\..\Run: [WinampAgent] J:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [snpstd] J:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [RemoteControl] "J:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [ccApp] "J:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] J:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] J:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [KillCopy] J:\Program Files\KillSoft\KillCopy\kcresume.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools] "J:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NVIDIA nTune] "J:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKLM\..\Run: [amd_dc_opt] J:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKCU\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TaskSwitchXP] J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] J:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: PowerReg Scheduler V3.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.c2i.net/

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - J:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: tqoghn.dll

O23 - Service: Adobe LM Service - Adobe Systems - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - J:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Indexing Service (CiSvc) - Unknown owner - J:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - J:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - J:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - J:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: nTune Service (nTuneService) - NVIDIA - J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - J:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 8174 bytes>

edit: Hva bør jeg nå gjøre? Innstallere nytt antivirus-prog? Har jo bare norton 2006 og avg free. Bør jeg ha på windows brannmur?

Endret 21. september 2008 av glimpze

r2d290 · 22. september 2008

Det du kan gjøre er:

Last ned Vundofix til skrivebordet

Dobbeltklikk på Vundufix.exe

Klikk på Scan for Vundo-knappen

Klikk på Remove Vundo-knappen

Svar ja og ok på de vinduene som kommer

Det lages en logg (C:\vundofix.txt) som du poster senere.

Lag deretter en ny combofix-logg, og post denne sammen med vundofix-loggen

glimpze · 22. september 2008

Det du kan gjøre er:
Last ned Vundofix til skrivebordet

Dobbeltklikk på Vundufix.exe

Klikk på Scan for Vundo-knappen

Klikk på Remove Vundo-knappen

Svar ja og ok på de vinduene som kommer

Det lages en logg (C:\vundofix.txt) som du poster senere.

Lag deretter en ny combofix-logg, og post denne sammen med vundofix-loggen

Dette har jeg gjort og her kommet loggene:

VunduFix:

Klikk for å se/fjerne innholdet nedenfor

<

VundoFix V7.0.6

Scan started at 22:29:16 22.09.2008

Listing files found while scanning....

J:\Windows\system32\lhbobpwp.dll

J:\Windows\system32\phrltvbk.dll

Beginning removal...

Attempting to delete J:\Windows\system32\lhbobpwp.dll

J:\Windows\system32\lhbobpwp.dll Has been deleted!

Attempting to delete J:\Windows\system32\phrltvbk.dll

J:\Windows\system32\phrltvbk.dll Has been deleted!

Performing Repairs to the registry.

Done!>

Når jeg kopierer inn ComboFix loggen blir bare posten min helt blank, som den over. Både inni skjul og om jeg bare kopierer den inn rett her. Hva er galt?

Endret 22. september 2008 av glimpze

r2d290 · 22. september 2008

www.pastebin.no

Kopier den inn der, og legg linken inn på forumet

glimpze · 22. september 2008

www.pastebin.no

Kopier den inn der, og legg linken inn på forumet

ComboFix logg 2:

http://www.pastebin.no/35444

norbat · 22. september 2008

Åpne notisblokk og kopier inn det som står i fet skrift under. Lagre fila på skrivebordet som CFScript.txt

Dra fila og slipp den over Combofix-iconet. Combofix vil starte igjen:

killall::

snapshot::

File::

J:\WINDOWS\system32\jjjlm.ini2

J:\WINDOWS\system32\ugllnrob.ini

J:\WINDOWS\system32\cbnqwbap.ini

J:\WINDOWS\system32\rfvahswv.ini

J:\WINDOWS\system32\sgdtkdsi.ini

J:\WINDOWS\system32\oxjmxidm.ini

J:\WINDOWS\system32\ssndrmeg.ini

J:\WINDOWS\system32\ogujxwgb.ini

J:\WINDOWS\system32\sdvbortn.ini

J:\WINDOWS\system32\syrpagqc.ini

J:\WINDOWS\system32\pcrmwchh.ini

J:\WINDOWS\system32\blhsqygd.ini

J:\WINDOWS\system32\hlpossno.ini

J:\WINDOWS\system32\tveysnxi.ini

J:\WINDOWS\system32\uwnjrntw.ini

J:\WINDOWS\system32\otmpimul.ini

J:\WINDOWS\system32\kjllm.ini2

J:\WINDOWS\system32\oqtss.ini2

J:\WINDOWS\system32\orutv.ini2

J:\WINDOWS\system32\drivers\wxmaycbn.dat

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=-

Post loggen

Endret 22. september 2008 av norbat

glimpze · 22. september 2008

Gjorde som du sa norbat, her er ComboFix logg 3:

Klikk for å se/fjerne innholdet nedenfor

<ComboFix 08-09-20.05 - Administrator 2008-09-23 1:10:36.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1651 [GMT 2:00]

Running from: J:\Documents and Settings\Administrator\Desktop\ComboFix.exe

Command switches used :: J:\Documents and Settings\Administrator\Desktop\CFScript.txt

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

J:\WINDOWS\system32\blhsqygd.ini

J:\WINDOWS\system32\cbnqwbap.ini

J:\WINDOWS\system32\drivers\wxmaycbn.dat

J:\WINDOWS\system32\hlpossno.ini

J:\WINDOWS\system32\jjjlm.ini2

J:\WINDOWS\system32\kjllm.ini2

J:\WINDOWS\system32\ogujxwgb.ini

J:\WINDOWS\system32\oqtss.ini2

J:\WINDOWS\system32\orutv.ini2

J:\WINDOWS\system32\otmpimul.ini

J:\WINDOWS\system32\oxjmxidm.ini

J:\WINDOWS\system32\pcrmwchh.ini

J:\WINDOWS\system32\rfvahswv.ini

J:\WINDOWS\system32\sdvbortn.ini

J:\WINDOWS\system32\sgdtkdsi.ini

J:\WINDOWS\system32\ssndrmeg.ini

J:\WINDOWS\system32\syrpagqc.ini

J:\WINDOWS\system32\tveysnxi.ini

J:\WINDOWS\system32\ugllnrob.ini

J:\WINDOWS\system32\uwnjrntw.ini

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

J:\WINDOWS\system32\blhsqygd.ini

J:\WINDOWS\system32\cbnqwbap.ini

J:\WINDOWS\system32\drivers\wxmaycbn.dat

J:\WINDOWS\system32\hlpossno.ini

J:\WINDOWS\system32\jjjlm.ini2

J:\WINDOWS\system32\kjllm.ini2

J:\WINDOWS\system32\ogujxwgb.ini

J:\WINDOWS\system32\oqtss.ini2

J:\WINDOWS\system32\orutv.ini2

J:\WINDOWS\system32\otmpimul.ini

J:\WINDOWS\system32\oxjmxidm.ini

J:\WINDOWS\system32\pcrmwchh.ini

J:\WINDOWS\system32\rfvahswv.ini

J:\WINDOWS\system32\sdvbortn.ini

J:\WINDOWS\system32\sgdtkdsi.ini

J:\WINDOWS\system32\ssndrmeg.ini

J:\WINDOWS\system32\syrpagqc.ini

J:\WINDOWS\system32\tveysnxi.ini

J:\WINDOWS\system32\ugllnrob.ini

J:\WINDOWS\system32\uwnjrntw.ini

.

((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))

.

2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- J:\WINDOWS\LastGood.Tmp

2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- J:\Program Files\ESET

2008-09-22 22:40 . 2008-09-22 22:40 24,576 --a------ J:\WINDOWS\system32\VundoFixSVC.exe

2008-09-22 22:29 . 2008-09-22 22:41 <DIR> d-------- J:\VundoFix Backups

2008-09-22 21:10 . 2008-09-22 21:13 <DIR> d-------- J:\WINDOWS\system32\CatRoot_bak

2008-09-22 02:02 . 2008-06-13 15:10 272,128 --------- J:\WINDOWS\system32\drivers\bthport.sys

2008-09-22 02:02 . 2008-06-13 15:10 272,128 -----c--- J:\WINDOWS\system32\dllcache\bthport.sys

2008-09-22 01:55 . 2008-09-22 03:02 1,374 --a------ J:\WINDOWS\imsins.BAK

2008-09-22 00:38 . 2008-06-23 18:57 6,066,176 -----c--- J:\WINDOWS\system32\dllcache\ieframe.dll

2008-09-22 00:38 . 2007-04-17 11:32 2,455,488 -----c--- J:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-09-22 00:38 . 2007-03-08 07:10 991,232 -----c--- J:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-09-22 00:38 . 2008-06-23 18:57 459,264 -----c--- J:\WINDOWS\system32\dllcache\msfeeds.dll

2008-09-22 00:38 . 2008-06-23 18:57 383,488 -----c--- J:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-09-22 00:38 . 2008-05-01 16:30 331,776 -----c--- J:\WINDOWS\system32\dllcache\msadce.dll

2008-09-22 00:38 . 2008-06-23 18:57 267,776 -----c--- J:\WINDOWS\system32\dllcache\iertutil.dll

2008-09-22 00:38 . 2008-06-23 18:57 63,488 -----c--- J:\WINDOWS\system32\dllcache\icardie.dll

2008-09-22 00:38 . 2008-06-23 18:57 52,224 -----c--- J:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-09-22 00:38 . 2008-06-23 11:20 13,824 -----c--- J:\WINDOWS\system32\dllcache\ieudinit.exe